AllGoodBits.org

Serving HTTP with nginx

Web server configuration, like most anything else in this game, depends on your situation. Your server hardware, OS, network connectivity, application requirements, client access patterns, performance requirements, tolerance for failure, etc., etc. are not necessarily the same as mine. These configuration suggestions will get you going with something reasonable: good enough for HTTP services that are not mission-critical, and intended as a sound starting point for the ones that are. They are not to be blindly copy-pasted, but they should give you a flying start in the right direction.

These are complex tools, and it's not always predictable whether a particular change will help or hurt. So if you want to serve HTTP well (high performance, low resource usage, HA, etc.), you'll need to test, measure and evaluate against your own workload in your own situation. I'll not labour it too hard here, but optimization effort that isn't driven by careful measurement (well recorded, well presented and correctly interpreted) is a waste of time. Having said that, if you have a common situation such as a PHP webapp like WordPress, you can get a most-of-the-way-there solution by using nginx, php-fpm and microcaching: nginx holds each dynamic response for a second or so, which turns a burst of identical requests into a single PHP execution while keeping the content fresh enough that nobody notices.
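As an added example (not the article's own configuration), here is the shape of an nginx + php-fpm microcaching setup for a WordPress-style site. The cache path, the php-fpm socket, the document root and the hostname are assumptions; the snippet belongs in a file included from the http context of nginx.conf.

```nginx
# Added example, not the article's config. Paths, socket and sizes are assumptions.
fastcgi_cache_path /var/cache/nginx/microcache levels=1:2
                   keys_zone=microcache:10m max_size=256m inactive=60m;

server {
    listen 80;
    server_name example.com;             # assumption
    root /var/www/example.com/public;    # assumption
    index index.php index.html;

    # Cache by default; the rules below switch it off where a cached page would be wrong.
    set $skip_cache 0;

    # Never cache writes, searches/query strings, or anything from a logged-in user.
    if ($request_method = POST) { set $skip_cache 1; }
    if ($query_string != "")    { set $skip_cache 1; }
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in") {
        set $skip_cache 1;
    }
    if ($request_uri ~* "/wp-admin/|/wp-login.php|/xmlrpc.php|/feed/|sitemap(_index)?\.xml") {
        set $skip_cache 1;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;                 # no script, no FastCGI pass (avoids path-info tricks)
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: php-fpm on a unix socket

        fastcgi_cache microcache;
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
        fastcgi_cache_valid 200 301 302 1s;  # the "micro" in microcaching
        fastcgi_cache_use_stale error timeout updating http_500 http_503;
        fastcgi_cache_lock on;               # one request refills an expired entry; the rest wait or get stale
        fastcgi_cache_bypass $skip_cache;
        fastcgi_no_cache $skip_cache;
        # Ignore the app's anti-caching headers, but NOT Set-Cookie: nginx's default of
        # refusing to cache a response that sets a cookie is what keeps sessions private.
        fastcgi_ignore_headers Cache-Control Expires;

        add_header X-Cache $upstream_cache_status;   # HIT/MISS/BYPASS/STALE, so you can measure
    }
}
```

Two things worth checking before trusting it: the X-Cache header lets you confirm with curl that repeated anonymous requests are HITs and that a request carrying a wordpress_logged_in cookie is a BYPASS; and Set-Cookie is deliberately left out of fastcgi_ignore_headers, because ignoring it would let nginx cache a response that sets a session cookie and hand that cookie to the next visitor.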

One last comment in that area: if you don't measure carefully, you may spend your efforts in the wrong areas. If your performance bottleneck is in one area, any effort at all in another area is a waste of time. For example, if your application code is the bottleneck, tuning your HTTP server doesn't help; if your database service is crawling through molasses, tuning PHP bytecode caching is pointless; and so on. (For more on this, look into the more IT-focused work on the theory of constraints; people like Gene Kim, building on work by W. Edwards Deming, Goldratt, et al.)

Note that picking TLS (SSL) cipher suites correctly is difficult; you'll need to understand the relative costs and benefits (performance against security, and what your clients can actually negotiate). This list is admittedly somewhat cargo-cult, but it was drawn up from my reading of the work of people who focus only on this area (current at the time of writing, but of course destined to obsolesce). If you're trying to avoid being low-hanging fruit, it will serve you well, at least for a while. If you need to protect against a serious, targeted attacker, you'll need to do your own research and build your own understanding from primary sources. I'm a generalist, not a security/crypto specialist. Caveat lector.
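As an added example (not the author's cipher list), here is the weak setting beside the corrected one for an nginx server block. The hostname and certificate paths are assumptions; the cipher string is a commonly recommended ECDHE-only, AEAD-only set written for an OpenSSL-linked nginx.

```nginx
# Added example, not the article's list. Hostname and certificate paths are assumptions.

# Weak (commented out): every protocol the build supports, plus OpenSSL's DEFAULT string,
# which still admits plain RSA key exchange (no forward secrecy) and CBC/SHA-1 suites.
# ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers DEFAULT;

server {
    listen 443 ssl;
    server_name example.com;                               # assumption
    ssl_certificate     /etc/ssl/certs/example.com.pem;    # assumption
    ssl_certificate_key /etc/ssl/private/example.com.key;  # assumption

    # Corrected: TLS 1.2 and 1.3 only; ECDHE (forward-secret) AEAD suites only.
    # TLS 1.3 suites are fixed by the library and are not affected by ssl_ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # With only strong suites offered, let the client choose (AES-NI hardware vs ChaCha on phones).
    ssl_prefer_server_ciphers off;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # Ticket keys live in nginx's memory until restart; unless you rotate them yourself,
    # a stolen key undoes forward secrecy for every session it protected.
    ssl_session_tickets off;
}
```

Check the result from outside rather than trusting the file: `openssl s_client -connect example.com:443 -tls1_1` should fail to complete a handshake, and `nmap --script ssl-enum-ciphers -p 443 example.com` lists exactly what a client can still negotiate. Re-run both whenever you upgrade nginx or OpenSSL, since the effective set depends on the library build, not just on these directives.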